Cover V10, I03

Working with SAINT

Adam Olson

Consistent security auditing is a must for any network of computer systems. This helps ensure that none of the hosts have been compromised and data integrity is still intact. To help the audit process along, a number of tools are available that automate some or most of the work. This article will focus on a product called the Security Administrator's Integrated Network Tool, or SAINT, which aids the administrator in auditing his or her network. SAINT is a fun and useful tool, based on SATAN, that can probe hosts across a network for commonly misconfigured services, outdated versions of software, and bad policy decisions. It has also been certified to detect the SANS Top 10 Internet Security Threats.

When using SAINT, keep in mind that you should use it strictly on boxes that you have permission to scan and audit. Pointing SAINT at remote networks can be considered an intrusion attempt.

More on SAINT

A quote on the front of the SAINT Web site reads "Indispensable for checking system vulnerabilities." After you play around with it, you can decide what kind of a role it will play in your security plan, but it is definitely a great tool to have and you will probably find it very handy.

What vulnerabilities can SAINT actually detect? According to the SAINT Web site, there are just too many to list here; see http://www.wwdsi.com/cgi-bin/vulns.pl for a detailed list, including an explanation of each. Some of the most important vulnerabilities to me are related to Sendmail, POP servers, FTP, SSH, HTTP, and various vendor-specific vulnerabilities. SAINT can detect vulnerabilities such as the following:

  • Guessable read and write SNMP community strings
  • SITE EXEC buffer overflows and others in FTP servers
  • Problems within NFS configurations
  • Tests for mail servers that permit relaying
  • Instances of FrontPage that may contain security flaws
  • Tests for the presence of root kits

An addition to SAINT is currently in the works and should be available by the time you read this article. It is called SAINTwriter and should significantly enhance the reporting capabilities of SAINT. Check out all the information on that at: http://www.wwdsi.com/saintwriter/index.html.

Downloading and Compiling

This article refers to the most current release of SAINT, version 3.1.1 beta 2. I chose this version primarily to have the latest and greatest, but also because this is the version certified for the SANS Top 10 Internet Security Threats, and because it includes additional checks for recent problems with BIND (see sidebar). To download the source code, visit: http://www.wwdsi.com/saint. An optional companion piece of software I recommend downloading is nmap from http://www.insecure.org/nmap. SAINT will work without it, but nmap is a nice program to have for other testing as well. It is a port scanner with many features that can glean a great deal of information from networks and individual hosts.

To install and run SAINT, I ran the following commands on a box running RedHat 6.2. To unpack the archive:

 # zcat saint-3.1.1.beta1.tar.gz | tar xvf -
 
To compile:

 # cd saint-3.1.1
 # ./configure
 # make
 
To install the man pages:

 # make install
 
Otherwise, run the program with:

 # ./saint
 
Without any options, SAINT runs with a local HTML interface, which requires that a browser be installed. If you do not have one, you can run SAINT with the -H flag, and it will display all of the options for running it in text mode.

Setting Up for a Scan

Configuration Management

The initial configuration is done under Configuration Management. To see these options, click on Config-Mgmt. On this page, you can modify a number of settings, such as time to wait before timing out, how many times to guess a password, how intrusive your scan should be, the proximity of your scan, and many others. For now, let's do some scanning with the default settings.

Target Selection

To select a host or multiple hosts to scan, click on Target Selection. The first time you click on Target Selection, you will get a message about not contacting Web servers while using SAINT. Bypass this message by reloading the page.

The areas to address on this page are the host(s) to scan, how intrusive the scan should be, and whether or not to include firewall support. To specify the host(s) to scan, either enter the hostname or specify a file containing a list of hostnames. For this example, enter the hostname of your local machine.

Under Scanning Level Selection, you can decide how hard to scan the host. I recommend not scanning any production systems; when scanning boxes that are not in production, pick the scanning level based on how important availability is. To minimize the risk of stopping a service, run a Light scan. If you aren't concerned with such things, run a Heavy+ scan!

Finally, if you are behind a firewall, check Firewall Support so that your results will be as accurate as possible. Of course, when running a scan against your local box, this is not a problem. When a firewall sits between you and the box you are scanning, SAINT might receive responses that differ from what it would have received had a firewall not been involved in the communication. Making SAINT aware of the firewall's presence allows for a more accurate scan.

When you're all set, click on Start the scan. Below is what I received after running a Heavy scan on my local box:

 // Program Output
 
 SAINT data collection
 
 Data collection in progress... 
 
 11/30/00-17:32:01 bin/timeout 60 bin/fping localhost.localdomain
 11/30/00-17:32:01 bin/timeout 20 bin/ddos.saint localhost.localdomain
 11/30/00-17:32:01 bin/timeout 20 bin/finger.saint localhost.localdomain
 11/30/00-17:32:01 bin/timeout 20 bin/ostype.saint localhost.localdomain
 11/30/00-17:32:01 bin/timeout 20 bin/dns.saint localhost.localdomain
 11/30/00-17:32:01 bin/timeout 60 bin/udpscan.saint \
   19,53,69,111,137-139,161-162,177,8999,1-18,20-52,54-68,70-110,112-136, \
   140-160,163-176,178-1760,1763-2050,32767-33500 \
   localhost.localdomain
 11/30/00-17:32:02 bin/timeout 20 bin/rpc.saint localhost.localdomain
 11/30/00-17:32:02 bin/timeout 60 bin/tcpscan.saint \
   12754,15104,16660,20432,27665,33270,1-1525,1527-5404,5406-8887,8889-9999 \
   localhost.localdomain
 11/30/00-17:32:35 bin/timeout 20 bin/xhost.saint -d localhost.localdomain:0 localhost.localdomain
 11/30/00-17:32:35 bin/timeout 20 bin/sendmail.saint smtp localhost.localdomain
 11/30/00-17:32:35 bin/timeout 20 bin/printer.saint localhost.localdomain
 11/30/00-17:32:35 bin/timeout 20 bin/relay.saint localhost.localdomain
 11/30/00-17:32:35 bin/timeout 20 bin/statd.saint Linux 2.1.122 - 2.2.14 localhost.localdomain
 11/30/00-17:32:35 bin/timeout 20 bin/mountd.sara localhost.localdomain
 11/30/00-17:32:35 bin/timeout 90 bin/http.saint 1932 localhost.localdomain
 11/30/00-17:33:00 SAINT run completed
 
 Data collection completed (1 host(s) visited). 
 
 // End Program Output
 
As you can see, a number of scans were run including UDP, TCP, DNS, HTTP, and RPC. SAINT will also try to detect the remote software platform and version. Click on Continue with report and analysis to get an overview of your scan results.
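
To record what a run actually covered, the data-collection output can be parsed. The Python below is an added example, not part of the original article or of SAINT; it rejoins the wrapped lines of an excerpt of the output above and reports which probes ran, how many ports the UDP and TCP scan lists cover, and the elapsed time (function names are illustrative).

```python
import re
from datetime import datetime

# Excerpt of the data-collection output above, long port lists wrapped across lines.
SAMPLE = r"""
 11/30/00-17:32:01 bin/timeout 60 bin/fping localhost.localdomain
 11/30/00-17:32:01 bin/timeout 60 bin/udpscan.saint
 19,53,69,111,137-139,161-162,177,8999,1-18,20-52,54-68,70-110,112-136, \
  140-160,163-176,178-1760,1763-2050,32767-33500
 localhost.localdomain
 11/30/00-17:32:02 bin/timeout 60 bin/tcpscan.saint
 12754,15104,16660,20432,27665,33270,1-1525,1527-5404,5406-8887,8889-9999 localhost.localdomain
 11/30/00-17:32:35 bin/timeout 20 bin/statd.saint Linux 2.1.122 - 2.2.14 localhost.localdomain
 11/30/00-17:32:35 bin/timeout 90 bin/http.saint 1932 localhost.localdomain
 11/30/00-17:33:00 SAINT run completed
"""

STAMP = re.compile(r"^\d\d/\d\d/\d\d-\d\d:\d\d:\d\d ")
PROBE = re.compile(r"^(\S+) bin/timeout (\d+) bin/(\S+)(?: (.*))? (\S+)$")

def records(text):
    # A line without a leading timestamp continues the previous record.
    out = []
    for line in text.splitlines():
        line = line.strip().rstrip("\\").strip()
        if STAMP.match(line):
            out.append(line)
        elif line and out:  # no space after a trailing comma: port lists stay intact
            out[-1] += line if out[-1].endswith(",") else " " + line
    return out

def count_ports(spec):
    return sum(int(hi or lo) - int(lo) + 1
               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def summarize(text):
    recs = records(text)
    stamp = lambda rec: datetime.strptime(rec.split()[0], "%m/%d/%y-%H:%M:%S")
    probes, ports = [], {}
    for m in filter(None, map(PROBE.match, recs)):  # skips "SAINT run completed"
        _, timeout, name, args, host = m.groups()
        probes.append((name, int(timeout), host))
        if name in ("tcpscan.saint", "udpscan.saint"):
            ports[name] = count_ports(args)
    return {"probes": probes, "ports": ports,
            "seconds": (stamp(recs[-1]) - stamp(recs[0])).total_seconds()}
```

Calling `summarize()` on the saved output of each run gives a compact record of scan coverage that can be compared from one audit to the next.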

Analyzing the Results

If you clicked on Continue with report and analysis, you should now be looking at a screen titled Data Analysis. You can get to the same screen by clicking on Data Analysis on the menu bar. Your screen will look like Figure 1.

My favorite link on this page is Vulnerabilities By Approximate Danger Level. This page categorizes the vulnerabilities found in groups named Critical, Major, Potential, and the like. It is a very easy way to see which vulnerabilities should be addressed first and which may lead to serious problems. As you can see, the other options include the same basic information, but categorized in different ways. You also have the option of viewing vulnerabilities by type or by quantity. Further down, you can query individual hosts or groups of hosts based upon a certain attribute. The Vulnerabilities By Approximate Danger Level page will look like Figure 2.

The vulnerability groups are ordered on the page by urgency, with the most urgent at the top. Drilling down into each vulnerability that was found brings up a description of it, the related Common Vulnerabilities and Exposures (CVE) entries and CERT advisories, and possible resolutions. For example, clicking on the Root Access via Buffer Overflow link would result in the output in Figure 3.

You should find plenty of information here that will get you on your way to closing the vulnerabilities found, either by a software fix or by just stopping the service. The CVE entry or CERT advisory includes information on exact exposure, workarounds, and other pertinent details.

Conclusion

SAINT is a very informative and helpful tool that will aid any administrator in auditing their network for security vulnerabilities. The inclusion of detailed vulnerability descriptions and additional references is extremely useful and usually allows for a very pointed, direct fix to a possible problem. For additional information and new versions, visit SAINT's Web site at: http://www.wwdsi.com/saint.

Adam Olson lives in the Bay Area. He has helped build a successful ISP (http://www.humboldt1.com), designed and configured portions of the California Power Network while working at MCI WorldCom, and is currently working for a startup in Santa Clara (http://www.quaartz.com). Adam hopes to one day have a rock band. He can be reached at: adamo@humboldt1.com.